Solved

Open port for VPN?

Posted on 2006-11-09
15
5,158 Views
Last Modified: 2009-07-29
I have a consultant who is working remotely from inside his company and tried to access our network using CISCO VPN. I sent him instructions on how to use it, but he gets a message that he is not authorized. I tried to VPN from my house using his account and it worked like a charm. Do you think he needs to open a port over there where he is? Thanks!
0
Question by:Bob Macpherson
15 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17908006
First check if IPSEC pass-through is enabled on his network device through which he comes and connects to you.

Cheers,
Rajesh
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17909512
Also make sure the subnet from which he is connecting is not the same as the office. For example, if your main office were to use 192.168.1.x, the site from which he is connecting must use something else, such as 192.168.2.x.
0
 
LVL 11

Expert Comment

by:billwharton
ID: 17911735
Claudelu

Please ask the consultant for the EXACT ERROR message he is getting. Preferably, and if possible, the Cisco VPN client allows for logging, and you can turn on logging by going to Log -> Log settings and setting all values to High.

Next, Log -> Log window and then try connecting.

If you paste the log in here, we can pretty much trace the exact cause of the problem and help you out
0
 

Author Comment

by:Bob Macpherson
ID: 17914383
He told me he has the same problem when he tries to VPN from home, so it must be his laptop. I will ask him to get me the log.
0
 

Author Comment

by:Bob Macpherson
ID: 17914487
Thanks for your help.  This is the log when attempted from home.

Cisco Systems VPN Client Version 4.6.01.0019
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      08:42:52.675  11/10/06  Sev=Info/4    CM/0x63100002
Begin connection process

2      08:42:52.855  11/10/06  Sev=Info/4    CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      08:42:52.855  11/10/06  Sev=Info/4    CM/0x63100004
Establish secure connection using Ethernet

4      08:42:52.855  11/10/06  Sev=Info/4    CM/0x63100024
Attempt connection with server "12.196.85.227"

5      08:42:53.866  11/10/06  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 12.196.85.227.

6      08:42:53.866  11/10/06  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Nat-T), VID(Frag), VID(Unity)) to 12.196.85.227

7      08:42:53.876  11/10/06  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

8      08:42:53.876  11/10/06  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

9      08:42:53.937  11/10/06  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 12.196.85.227

10     08:42:53.937  11/10/06  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity),
VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from
12.196.85.227

11     08:42:53.937  11/10/06  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer

12     08:42:53.937  11/10/06  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH

13     08:42:53.937  11/10/06  Sev=Info/5    IKE/0x63000001
Peer supports DPD

14     08:42:53.937  11/10/06  Sev=Info/5    IKE/0x63000001
Peer supports NAT-T

15     08:42:53.937  11/10/06  Sev=Info/5    IKE/0x63000001
Peer supports IKE fragmentation payloads

16     08:42:53.937  11/10/06  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful

17     08:42:53.937  11/10/06  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D,
NAT-D, VID(?), VID(Unity)) to 12.196.85.227

18     08:42:53.937  11/10/06  Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA

19     08:42:53.937  11/10/06  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

20     08:42:53.937  11/10/06  Sev=Info/5    IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

21     08:42:53.937  11/10/06  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated
IKE SA in the system

22     08:42:53.977  11/10/06  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 12.196.85.227

23     08:42:53.977  11/10/06  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.196.85.227

24     08:42:53.977  11/10/06  Sev=Info/4    CM/0x63100015
Launch xAuth application

25     08:42:59.615  11/10/06  Sev=Info/4    CM/0x63100017
xAuth application returned

26     08:42:59.615  11/10/06  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.196.85.227

27     08:42:59.675  11/10/06  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 12.196.85.227

28     08:42:59.675  11/10/06  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.196.85.227

29     08:42:59.675  11/10/06  Sev=Info/4    CM/0x63100015
Launch xAuth application

30     08:43:02.609  11/10/06  Sev=Info/4    CM/0x63100017
xAuth application returned

31     08:43:02.609  11/10/06  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.196.85.227

32     08:43:02.679  11/10/06  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 12.196.85.227

33     08:43:02.679  11/10/06  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.196.85.227

34     08:43:02.679  11/10/06  Sev=Info/4    CM/0x63100015
Launch xAuth application

35     08:43:04.161  11/10/06  Sev=Info/6    IKE/0x63000055
Sent a keepalive on the IPSec SA

36     08:43:06.435  11/10/06  Sev=Info/4    CM/0x63100017
xAuth application returned

37     08:43:06.435  11/10/06  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.196.85.227

38     08:43:06.485  11/10/06  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 12.196.85.227

39     08:43:06.485  11/10/06  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.196.85.227

40     08:43:06.485  11/10/06  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.196.85.227

41     08:43:06.485  11/10/06  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=DF80CA197E11B81B
R_Cookie=9C69CF13D5FCFB03) reason = DEL_REASON_WE_FAILED_AUTH

42     08:43:06.485  11/10/06  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 12.196.85.227

43     08:43:06.525  11/10/06  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 12.196.85.227

44     08:43:06.525  11/10/06  Sev=Info/4    IKE/0x63000058
Received an ISAKMP message for a non-active SA,
I_Cookie=DF80CA197E11B81B R_Cookie=9C69CF13D5FCFB03

45     08:43:06.525  11/10/06  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 12.196.85.227

46     08:43:07.166  11/10/06  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=DF80CA197E11B81B
R_Cookie=9C69CF13D5FCFB03) reason = DEL_REASON_WE_FAILED_AUTH

47     08:43:07.166  11/10/06  Sev=Info/4    CM/0x63100014
Unable to establish Phase 1 SA with server "12.196.85.227" because of
"DEL_REASON_WE_FAILED_AUTH"

48     08:43:07.166  11/10/06  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

49     08:43:07.186  11/10/06  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

50     08:43:07.226  11/10/06  Sev=Info/4    IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

51     08:43:07.246  11/10/06  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

52     08:43:07.246  11/10/06  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

53     08:43:07.246  11/10/06  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

54     08:43:07.246  11/10/06  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped
0
 
LVL 11

Accepted Solution

by:
billwharton earned 500 total points
ID: 17914556
It seems the consultant is using an incorrect group name or password. Do this:

Since you stated that you were able to successfully connect with his credentials from your home, go to this folder on your home computer
G:\Program Files\Cisco Systems\VPN Client\Profiles

And copy the .pcf file which you successfully connected with the consultant's credentials

Email him the .pcf file and tell him to copy it to his G:\Program Files\Cisco Systems\VPN Client\Profiles

Now, ask him to try; it should work
0
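As an added illustration (not part of the original thread and not Cisco tooling), this Python example parses the client log format posted above and reports how far the negotiation got: the IKE port in use (0x1194 is UDP 4500, the NAT-T port), whether the Phase 1 crypto SA came up, how many XAUTH prompts were issued, and the recorded failure reason. The function names are hypothetical, and the sample is condensed from the log posted in this thread.

```python
import re

# Entry header: sequence, time, date, Sev=<level>/<n>, <component>/<message id>.
HEADER = re.compile(r"^(\d+)\s+[\d:.]+\s+\S+\s+Sev=\w+/\d\s+(\w+)/0x[0-9A-Fa-f]+$")
PORTS = re.compile(r"Local Port =\s*(0x[0-9A-Fa-f]+), Remote Port =\s*(0x[0-9A-Fa-f]+)")
REASON = re.compile(r"reason = (\w+)")

def parse_entries(text):
    """Return (seq, component, message) per entry, joining wrapped message lines."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()  # tolerate "> " quoted logs
        if (m := HEADER.match(line)):
            entries.append([int(m.group(1)), m.group(2), ""])
        elif entries and line:
            entries[-1][2] = (entries[-1][2] + " " + line).strip()
    return [tuple(e) for e in entries]

def summarize(text):
    """Report how far the negotiation got before the client tore it down."""
    s = {"ike_ports": None, "phase1_crypto_up": False,
         "xauth_prompts": 0, "failure_reason": None}
    for _seq, comp, msg in parse_entries(text):
        ports, reason = PORTS.search(msg), REASON.search(msg)
        if ports:
            s["ike_ports"] = tuple(int(p, 16) for p in ports.groups())
        elif msg.startswith("Established Phase 1 SA"):
            s["phase1_crypto_up"] = True
        elif comp == "CM" and msg == "Launch xAuth application":
            s["xauth_prompts"] += 1
        elif reason and s["failure_reason"] is None:
            s["failure_reason"] = reason.group(1)
    return s

# Sample condensed from the client log posted in this thread (entries 19-41).
SAMPLE = """\
19     08:42:53.937  11/10/06  Sev=Info/4    IKE/0x63000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194
21     08:42:53.937  11/10/06  Sev=Info/4    CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated
IKE SA in the system
24     08:42:53.977  11/10/06  Sev=Info/4    CM/0x63100015
Launch xAuth application
29     08:42:59.675  11/10/06  Sev=Info/4    CM/0x63100015
Launch xAuth application
34     08:43:02.679  11/10/06  Sev=Info/4    CM/0x63100015
Launch xAuth application
41     08:43:06.485  11/10/06  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=DF80CA197E11B81B
R_Cookie=9C69CF13D5FCFB03) reason = DEL_REASON_WE_FAILED_AUTH
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On this log the summary shows packets already being exchanged on UDP 4500 and the crypto SA established before three XAUTH prompts end in DEL_REASON_WE_FAILED_AUTH. The failure therefore sits at the authentication stage, which fits the accepted answer's reading rather than a blocked port.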
 

Author Comment

by:Bob Macpherson
ID: 17939999
I sent him my file and he wrote it over and tried again, but he still did not succeed. Here is the log:

> 58     15:53:41.391  11/13/06  Sev=Info/4             CM/0x63100002
> Begin connection process
>
> 59     15:53:41.411  11/13/06  Sev=Info/4             CVPND/0xE3400001
> Microsoft IPSec Policy Agent service stopped successfully
>
> 60     15:53:41.411  11/13/06  Sev=Info/4             CM/0x63100004
> Establish secure connection using Ethernet
>
> 61     15:53:41.411  11/13/06  Sev=Info/4             CM/0x63100024
> Attempt connection with server "12.196.85.227"
>
> 62     15:53:42.413  11/13/06  Sev=Info/6             IKE/0x6300003B
> Attempting to establish a connection with 12.196.85.227.
>
> 63     15:53:42.423  11/13/06  Sev=Info/4             IKE/0x63000013
> SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 12.196.85.227
>
> 64     15:53:42.423  11/13/06  Sev=Info/4             IPSEC/0x63700008
> IPSec driver successfully started
>
> 65     15:53:42.423  11/13/06  Sev=Info/4             IPSEC/0x63700014
> Deleted all keys
>
> 66     15:53:42.543  11/13/06  Sev=Info/5             IKE/0x6300002F
> Received ISAKMP packet: peer = 12.196.85.227
>
> 67     15:53:42.543  11/13/06  Sev=Info/4             IKE/0x63000014
> RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 12.196.85.227
>
> 68     15:53:42.543  11/13/06  Sev=Info/5             IKE/0x63000001
> Peer is a Cisco-Unity compliant peer
>
> 69     15:53:42.543  11/13/06  Sev=Info/5             IKE/0x63000001
> Peer supports XAUTH
>
> 70     15:53:42.543  11/13/06  Sev=Info/5             IKE/0x63000001
> Peer supports DPD
>
> 71     15:53:42.543  11/13/06  Sev=Info/5             IKE/0x63000001
> Peer supports NAT-T
>
> 72     15:53:42.543  11/13/06  Sev=Info/5             IKE/0x63000001
> Peer supports IKE fragmentation payloads
>
> 73     15:53:42.553  11/13/06  Sev=Info/6             IKE/0x63000001
> IOS Vendor ID Contruction successful
>
> 74     15:53:42.553  11/13/06  Sev=Info/4             IKE/0x63000013
> SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 12.196.85.227
>
> 75     15:53:42.553  11/13/06  Sev=Info/6             IKE/0x63000055
> Sent a keepalive on the IPSec SA
>
> 76     15:53:42.553  11/13/06  Sev=Info/4             IKE/0x63000083
> IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194
>
> 77     15:53:42.553  11/13/06  Sev=Info/5             IKE/0x63000072
> Automatic NAT Detection Status:
>    Remote end is NOT behind a NAT device
>    This   end IS behind a NAT device
>
> 78     15:53:42.553  11/13/06  Sev=Info/4             CM/0x6310000E
> Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
>
> 79     15:53:42.673  11/13/06  Sev=Info/5             IKE/0x6300002F
> Received ISAKMP packet: peer = 12.196.85.227
>
> 80     15:53:42.673  11/13/06  Sev=Info/4             IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.196.85.227
>
> 81     15:53:42.673  11/13/06  Sev=Info/4             CM/0x63100015
> Launch xAuth application
>
> 82     15:53:45.447  11/13/06  Sev=Info/4             CM/0x63100017
> xAuth application returned
>
> 83     15:53:45.447  11/13/06  Sev=Info/4             IKE/0x63000013
> SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.196.85.227
>
> 84     15:53:45.537  11/13/06  Sev=Info/5             IKE/0x6300002F
> Received ISAKMP packet: peer = 12.196.85.227
>
> 85     15:53:45.537  11/13/06  Sev=Info/4             IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.196.85.227
>
> 86     15:53:45.537  11/13/06  Sev=Info/4             CM/0x63100015
> Launch xAuth application
>
> 87     15:53:49.052  11/13/06  Sev=Info/4             CM/0x63100017
> xAuth application returned
>
> 88     15:53:49.052  11/13/06  Sev=Info/4             IKE/0x63000013
> SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.196.85.227
>
> 89     15:53:49.232  11/13/06  Sev=Info/5             IKE/0x6300002F
> Received ISAKMP packet: peer = 12.196.85.227
>
> 90     15:53:49.232  11/13/06  Sev=Info/4             IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.196.85.227
>
> 91     15:53:49.232  11/13/06  Sev=Info/4             CM/0x63100015
> Launch xAuth application
>
> 92     15:53:51.155  11/13/06  Sev=Info/4             CM/0x63100017
> xAuth application returned
>
> 93     15:53:51.155  11/13/06  Sev=Info/4             IKE/0x63000013
> SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.196.85.227
>
> 94     15:53:51.255  11/13/06  Sev=Info/5             IKE/0x6300002F
> Received ISAKMP packet: peer = 12.196.85.227
>
> 95     15:53:51.255  11/13/06  Sev=Info/4             IKE/0x63000014
> RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 12.196.85.227
>
> 96     15:53:51.255  11/13/06  Sev=Info/4             IKE/0x63000013
> SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 12.196.85.227
>
> 97     15:53:51.255  11/13/06  Sev=Info/4             IKE/0x63000017
> Marking IKE SA for deletion  (I_Cookie=5E17E83694C477B9 R_Cookie=E0C170E057FDCA36) reason = DEL_REASON_WE_FAILED_AUTH
>
> 98     15:53:51.255  11/13/06  Sev=Info/4             IKE/0x63000013
> SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 12.196.85.227
>
> 99     15:53:51.365  11/13/06  Sev=Info/5             IKE/0x6300002F
> Received ISAKMP packet: peer = 12.196.85.227
>
> 100    15:53:51.365  11/13/06  Sev=Info/4             IKE/0x63000058
> Received an ISAKMP message for a non-active SA, I_Cookie=5E17E83694C477B9 R_Cookie=E0C170E057FDCA36
>
> 101    15:53:51.365  11/13/06  Sev=Info/4             IKE/0x63000014
> RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 12.196.85.227
>
> 102    15:53:51.856  11/13/06  Sev=Info/4             IKE/0x6300004B
> Discarding IKE SA negotiation (I_Cookie=5E17E83694C477B9 R_Cookie=E0C170E057FDCA36) reason = DEL_REASON_WE_FAILED_AUTH
>
> 103    15:53:51.856  11/13/06  Sev=Info/4             CM/0x63100014
> Unable to establish Phase 1 SA with server "12.196.85.227" because of "DEL_REASON_WE_FAILED_AUTH"
>
> 104    15:53:51.856  11/13/06  Sev=Info/5             CM/0x63100025
> Initializing CVPNDrv
>
> 105    15:53:51.896  11/13/06  Sev=Info/4             IKE/0x63000001
> IKE received signal to terminate VPN connection
>
> 106    15:53:51.906  11/13/06  Sev=Info/4             IKE/0x63000086
> Microsoft IPSec Policy Agent service started successfully
>
> 107    15:53:51.906  11/13/06  Sev=Info/4             IPSEC/0x63700014
> Deleted all keys
>
> 108    15:53:51.916  11/13/06  Sev=Info/4             IPSEC/0x63700014
> Deleted all keys
>
> 109    15:53:51.916  11/13/06  Sev=Info/4             IPSEC/0x63700014
> Deleted all keys
>
> 110    15:53:51.916  11/13/06  Sev=Info/4             IPSEC/0x6370000A
> IPSec driver successfully stopped
0

 
LVL 11

Expert Comment

by:billwharton
ID: 17940843
What's on the corporate side? A VPN concentrator? What's the code running on it?
0
 

Author Comment

by:Bob Macpherson
ID: 17940973
I checked my connections and I have a Local Area Connector for a CISCO VPN Adapter, which was created when I installed the software. He does not have that connection. I told him to reinstall the software to see if that helps.
0
 
LVL 11

Expert Comment

by:billwharton
ID: 17941005
Get him to install the latest version. I believe it's 4.8
0
 
LVL 11

Expert Comment

by:billwharton
ID: 17941006
Also, what are the answers to my questions?

Thx
0
 

Author Comment

by:Bob Macpherson
ID: 17941309
We have a CISCO firewall and we manage the users through Cisco ASDM 5.2 for ASA. The version of the software I sent him is 4.8
0
 
LVL 11

Expert Comment

by:billwharton
ID: 17947105
Did that work out for your consultant? If not, to proceed I'll need to see the logs from the ASDM. Go into the logging section and send me the ISAKMP & IPSEC logs for the duration when the consultant tries to connect
0
 

Expert Comment

by:gbautista34
ID: 20622820
I have a new question related to this...  

I have a workstation that will connect to our network via VPN.  I need to know once we allow access via our PIX firewall, what port to open so that this user can access a server file share.  I have one directory on this server that the user needs to read write to.  That's it.  He's asking me what port he needs to open.  HELP!  Thanks.
0
